Responsible Disclosure Policy

Keeping customer data safe and secure is our top priority. If you've discovered a security vulnerability, please do not share it publicly. Instead, report it to us using our security response form.

Rules for you

  • Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found.
  • Do not access or modify, or attempt to access or modify, data that does not belong to you.
  • Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
  • Do not run any automated tools against our servers without prior coordination.
  • Do not try to abuse our servers’ resources, including but not limited to sending unsolicited or unauthorized email.
  • Do not publicly share the issue details until we confirm that it’s fixed.
  • Do not attempt to blackmail us, or try to sell us your security report.
  • When in doubt, contact us at

Rules for us

  • We will not pursue any legal action against you, if you obey the rules above.
  • We will reply to all correctly submitted reports, and we will work with you on fixing the issue.
  • We will perform our own risk assessment for every reported vulnerability.
  • If your report is not eligible, we will let you know the reason why.
  • We will let you decide whether you want to be publicly acknowledged for your report.

Hall of Fame

For eligible reports, we can acknowledge your work by putting your name and (optionally) a link to your personal page on the list of security contributors below.


  • We do not offer cash compensation for security reports.
  • For some eligible reports that we identify as particularly important, we may reward you with our branded stickers or a t-shirt. If you’d like to receive something from us, please put your mailing address in the security response form, or share it later when we confirm the eligibility of your report.

What does not qualify?

  • Vulnerabilities to timing and DOS attacks (remember, you’re not allowed to test these).
  • Vulnerabilities that have been previously reported by another user.
  • Known vulnerabilities in the components of our technological stack reported within 48 hours since their public reveal.
  • Security issues, only reproducible under highly unlikely conditions (using outdated or exotic web browsers, operating systems, or insecure internet connections).
  • Bugs or functionality that proves that a tested email address exists in our database as well as the theoretical ability to brute-force such functionality.
  • Vulnerabilities that we determine to be an accepted risk, including but not limited to:
    • Ability to sign up and use our services without confirming an email address.
    • Lack of CAPTCHAs on the forms.
    • Lack of use of hardfail (-all) on SPF records.
    • Lack of a "reject" record in DMARC.

Thanks for your support!

We're grateful to the following people who have helped us improve the security of Postmark:

Jose Pino @Fr4phc0r3
Manish Bhattacharya @umenmactech
Sasi Levi @sasi2103
Ravindra Singh Rathore @ravindra_hacks
Devesh Bhatt
Tejash Patel
Ishan Anand zero-access
Nitesh Shilpkar @NiteshShilpkar
Kamil Sevi @kamilsevi
Simon Bräuer @redshark1802
Jack Suter
Ch. Muhammad Osama @ChMuhammadOsama
Shahmeer Amir @maadssecurity
Nadi Abdellah Fatality04
Anil R. Vaghasiya Facebook, Twitter
Nithish M. Varghese Facebook
Milan A. Solanki @MilanSolanki19
Sandeep Sudhagani Facebook
Arbin Godar Twitter
Ali Wamim Khan Facebook
Sumit Sahoo Facebook
Maulik Vaidh Twitter
Vikash Chaudhary Twitter
Pranav Digambar Jagtap Twitter
Karl Aparece Hackerone
Abdul Haq Khokhar Twitter
Vishal Jain LinkedIn
Nikhil Sahoo and Ipsita Subhadarshan Sahoo Twitter
Ravela Pramod Kumar Twitter
Mohammed Israil Twitter
Hamit Cibo Twitter
Vrisha Karna Twitter
Takshal Patel @Takshal3
Ronak Nahar @naharronak

Last updated August 15th, 2019

Still need some help?

Our customer success team has your back!